Certificate reference: DPA/s111/SIS 


SECTION 111 DATA PROTECTION ACT 2018 


CERTIFICATE OF THE SECRETARY OF STATE 


1. Whereas: 


1.1 


by section 110 of the Data Protection Act 2018 (‘the Act”) it is 
provided that the processing of personal data is exempt from certain 
provisions of the Act if the exemption from that provision is required 
for the purpose of safeguarding national security. For information, a 
full list of these provisions is provided at Annex A. 


1.2 by section 111(1) it is provided that a certificate signed by a Minister 
of the Crown certifying that an exemption from all or any of the 
provisions mentioned in section 110(2) is or at any time was required 
for the purpose of safeguarding national security in respect of any 
personal data shall be conclusive evidence of that fact. 

1.3. by section 111(2), it is provided that a certificate under section 111(1) 
may identify the personal data to which it applies by means of a 
general description and may be expressed to have prospective effect. 

2. And considering the potentially serious adverse repercussions for the 
national security of the United Kingdom if the exemptions hereafter identified were 
not available. 
3. And for the reasons set out below: 

3.1 The work of the intelligence services (the Security Service, the Secret 


3.2 


3.3 


Intelligence Service and the Government Communications 
Headquarters) of the Crown requires secrecy. 


The very nature of the work of the Secret Intelligence Service (SIS) 
requires exemption on national security grounds from those parts of 
the Act that would for example, limit their ability to perform their 
statutory functions and that would allow access to SIS’s premises by 
third parties. 


The general principle of neither confirming nor denying whether SIS 
processes data about an individual, or whether others are processing 
personal data for, on behalf of, with a view to assisting, working with, 
or in relation to the functions of SIS is an essential part of that 
secrecy. In dealing with requests for information or access under the 
Data Protection Act 2018, SIS will examine each individual request to 
determine: 


i) whether adherence to that general principle is required for the 
purpose of safeguarding national security; and 


ll) in the event that such adherence is not required, whether and to 
what extent the non-communication of any data or any description 
of data is required for the purpose of safeguarding national 
security. 3 


4. Now, therefore, |, the Right Hon Jeremy Hunt MP, being a Minister of the 
Crown who is a member of the Cabinet, in exercise of the powers conferred by the 
said section 111 do issue this certificate and certify as follows:- 


4.1 That any personal data that is processed by SIS as described in 
~ Column 1 in the table below is and shall continue to be required to be 
exempt from those provisions of the Act that are set out in Column 2; 


4.2 That any personal data that is processed by any other person or body 
(“third party”), as described in Column 1 in the table below, is and 
shall continue to be exempt in the circumstances specified below from 
the provisions of the Act set out in Column 2 below; 


4.3 The specified circumstances are the processing of personal data by 
the third party in the course of data processing operations carried out 
(a) for, on behalf of or at the request of SIS or (b) in relation to the 
functions of SIS described in section 1 of the Intelligence Services Act 
1994, in both cases where SIS is the data controller; 


all for the purpose of safeguarding national security, provided that: 


(i) data shall not be exempt from the provisions of sections 93 and 94 of the 
Data Protection Act 2018 if SIS, after considering any request by a data 
subject for access to relevant personal data, determines that adherence to 
the principle of neither confirming nor denying whether SIS holds that data 
about an individual is not required for the purpose of safeguarding national 
security; | 


(ii) data shall not be exempt from the provisions of sections 93(1)(b)-(d) and 
(g), 94(1)(a)-(b), 94(2)(a)-(d) and (g) and 98 of the Data Protection Act 2018 
if SIS, after considering any request by a data subject for access to relevant 
personal data, determines that non-communication of that data or any 
description of that data is not required for the purpose of safeguarding © 
national security. 


a) Personal data processing in 
performance of the functions of SIS is 
described in section 1 of the Intelligence 
Services Act 1994 including but not limited 
to: 


operational data 

data relating to human resources 
(including recruitment candidates, 
current and former members of staff 
and contractors) 


vetting-related data 


data relating to building and 
personnel security (including CCTV) 


data relating to commercial 
relationships 


b) Personal data processing under Part 4 
of the Data Protection Act by third parties, 


including but not limited to: 


other Government departments 
public authorities 
commercial organisations 


where that processing is: 

e for, on behalf of or at the request of 
SIS or in relation to its functions 
described In section 1 of the 
Intelligence Services Act 1994, and 


e SIS Is the data controller. 


Expires 


Data Protection Act 2018: 

(i) Section 86(1)(b) 

(ii) Section 89 

(iii) Section 93(1)(b)-(d) and (g) 
(iv) Section 94(1)(a)-(b), 

(v) Section 94(2)(a)-(d) and (g), 
(vi) Sections 96-97 

(vil) Section 99(1)-(3) 

(viii) Section 119 | 

(ix) Section 142 

(x) Section 146 

(xi) Section 148 

(xil) Sections 149-151 

(xiii) Section 154 

(xiv) Sections 170-173 

(xv) Schedule 13 paragraphs 1(a), (g) and 2 
(xvi) Schedule 15 


ANNEX A 


Provision Notes 


Section 86(1)(b) 


First data protection principle, duty to be fair and 
transparent 


Section 86(3) - 86(7) Remainder of the first data protection principle 
Sections 87-91 Second to sixth data protection principles 
Sections 92-100 


Section 108 Communication of a personal data breach to the 
Commissioner 
Section 119 Inspection in accordance with international obligations 


Sections 142-154 


Chapter 3, rights of the data subject 


Commissioners notices and powers of entry and 
inspection 


Sections 170-173 Offences relating to personal data 
Sections 174-176 Provisions relating to the special purposes 
13 


Schedule 
1(a), 1(g) and 2 


Schedule 15 Powers of entry and inspection 


paragraphs | Other general functions of the Commissioner 


